OTP login rate limit bypass - The easiest bug beginners could find.
2021-02-01 18:06:01 Author: medium.com

VIVEK P S

Hello friends,

Today I am going to write about a vulnerability that may motivate some beginners who are struggling to find their first bug. It is the ‘OTP login rate limit bypass’. If you are a beginner in bug bounty, I suggest you test for this kind of issue, which is easier to find compared to other, more technical bugs. Look for web applications or mobile apps that allow the user to log in using an OTP.

I searched for Indian startup web applications and luckily I was able to find some that allowed login this way. This write-up is about one such finding and the method I followed.

So, I selected this particular web application and, on the login page, I entered my mobile number and requested the one-time password. I received a 6-digit number on my phone, but after opening the network tab of the Firefox browser to monitor the web requests, I tried entering a wrong 6-digit code in the application instead. I was greeted with an error message saying ‘Invalid OTP’. I resent the same invalid OTP several times to check whether there was any rate limit. As expected, after 8 attempts I began to receive the “a number of tries that exceeded” message. Then I forwarded the request to Burp Repeater and started tampering with each parameter. I noticed a header named udid with random numbers as its value. I was sure that the header was some kind of identification of the user. I added some random numbers to that value and fired the request. That’s it!!


I again received the error message saying ‘Invalid OTP’ instead of the ‘number of tries exceeded’ message. Giving any random number as the value of the udid header in each request bypassed the rate limit. So using this vulnerability, I could request an OTP for the victim’s account and keep submitting 6-digit guesses until I found the right one. Using the Burp Intruder tool, it is very easy to do this.

I reported it immediately.

Fix and the bypass

The bug was fixed soon by the company, so that changing the udid no longer worked. They asked me to test again. Then I tried switching my IP address to check whether the rate limit was based on the IP address, but it didn’t work. Then I again started tampering with the parameters. I encoded the country code in the mobile number and it didn’t work. I added a space in the middle of the mobile number, but that didn’t work either. Later I added a space at the end of the mobile number and it worked. So adding one space per request at the end of the mobile number bypassed the rate limit. I again reported this and it was later fixed. I received swag from the company for finding this security issue.
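As an added illustration (not code from the write-up or the affected company), here is a toy OTP verifier that keys its attempt counter on the client-supplied udid header, beside one that keys it on the server-side normalized phone number. The udid header name comes from the write-up; the phone number, OTP value and request traffic are constructed for this example.

```python
import re
from collections import defaultdict

MAX_ATTEMPTS = 8       # the threshold observed in the write-up
SAMPLE_OTP = "493817"  # constructed sample; a real server generates one per login


def normalize_phone(raw: str) -> str:
    """Canonical key: digits only, so a trailing or inserted space and an
    encoded country code all map to the same counter."""
    return re.sub(r"\D", "", raw)


class WeakLimiter:
    """Flawed design: the attempt counter is keyed on a value the client
    controls (the udid header), so every new udid starts a fresh budget."""

    def __init__(self):
        self.attempts = defaultdict(int)

    def verify(self, headers: dict, phone: str, otp: str) -> str:
        key = headers.get("udid", "")
        if self.attempts[key] >= MAX_ATTEMPTS:
            return "tries exceeded"
        self.attempts[key] += 1
        return "ok" if otp == SAMPLE_OTP else "invalid otp"


class HardenedLimiter:
    """Keys the counter on the normalized phone number the OTP was issued
    for; client headers and phone-number formatting are ignored."""

    def __init__(self):
        self.attempts = defaultdict(int)

    def verify(self, headers: dict, phone: str, otp: str) -> str:
        key = normalize_phone(phone)
        if self.attempts[key] >= MAX_ATTEMPTS:
            return "tries exceeded"   # OTP is burned; a new one must be requested
        self.attempts[key] += 1
        return "ok" if otp == SAMPLE_OTP else "invalid otp"


def guesses_evaluated(limiter, requests) -> int:
    """Count how many submitted guesses the limiter actually compared against
    the OTP, i.e. were not refused by the rate limit."""
    return sum(1 for h, p, o in requests if limiter.verify(h, p, o) != "tries exceeded")


# Constructed traffic: 20 wrong guesses, each with a fresh udid value and one
# more trailing space on the phone number, mirroring both bypasses described.
WRONG_GUESSES = [({"udid": str(1000 + i)}, "9876543210" + " " * i, f"{i:06d}")
                 for i in range(20)]
```

Running `guesses_evaluated` over `WRONG_GUESSES` shows the weak limiter checking all 20 guesses while the hardened one stops after 8; a per-phone counter alone can also be used to lock a victim out, so production systems pair it with an expiry window and a fresh OTP on each request.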


Source: https://medium.com/bugbountywriteup/otp-login-rate-limit-bypass-the-easiest-bug-beginners-could-find-638681bed95e?source=rss----7b722bfd1b8d--bug_bounty